WordPress.org is committed to protecting accounts that play a crucial role in the WordPress ecosystem. Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide. Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.
As part of this ongoing effort, we are introducing a new security requirement: mandatory two-factor authentication (2FA) for plugin and theme authors, starting on October 1st, 2024.
In addition to mandatory 2FA, we’re introducing SVN passwords, replacing your user account password with an SVN-specific password for committing changes.
Configuring 2FA on Your Account
You may have noticed prompts when logging in to WordPress.org encouraging you to configure 2FA. If you haven’t yet, visit this link to do so: https://profiles.wordpress.org/me/profile/security.
Please ensure you store your backup codes securely. If you lose access to both your two-factor authentication method and your backup codes, the process to regain access to your account may not be easy.
Separating SVN Password from Your WordPress.org Account
We’ve introduced an SVN password feature to separate your commit access from your main WordPress.org account credentials. This password functions like an application or additional user account password. It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials. Generate your SVN password in your WordPress.org profile.
If you’re using a deployment script, such as a GitHub Action, you’ll need to update your stored password with this SVN password as well.
Why not use 2FA with SVN?
Due to technical limitations, 2FA cannot be applied to our existing code repositories. That’s why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).
Need Support?
If you encounter any difficulties while setting up 2FA, follow the steps outlined in Configuring Two-Factor Authentication.
Additional information for generating SVN passwords can be found in Subversion Access.
If you’re a plugin author and haven’t read @chriscct7’s post Keeping Your Plugin Committer Accounts Secure, now’s a great time to do so.
If you find any bugs, have feedback, or need more support, please reach out in the #meta Slack channel or follow up here (don’t share any private information though).
+make.wordpress.org/themes/ +make.wordpress.org/meta/